UPDATE: A Massachusetts restaurant chain is the first company fined under the state's data security law, described as the toughest in the nation, and will pay $110,000 in penalties, according to a statement by the Massachusetts Attorney General. The Briar Group LLC entered into a settlement with Massachusetts Attorney General Martha Coakley over allegations that the chain failed to protect patrons' personal information. The case stemmed from an April 2009 incident in which a malicious program installed on Briar's computer systems allowed unknown hackers to access customers' credit and debit card information. That malicious code was not detected and removed until December 2009, according to the Attorney General's statement.

In the wake of the breach, the company, which owns and operates a number of bars and restaurants in the Boston area, did not take reasonable steps to secure its infrastructure. According to the Attorney General, Briar Group failed to change employee login credentials for its point-of-sale terminals and continued to accept credit and debit cards from customers even after it learned of the breach.

Briar Group will pay the Commonwealth $110,000 in civil penalties and must demonstrate compliance with the state's data security regulations as well as the Payment Card Industry Data Security Standard (PCI DSS). Restaurants in the Briar Group will have to implement a secure password management system and PCI-compliant data security measures, the Attorney General said in a statement.

In a statement, The Briar Group said that the company believes the agreement with the Massachusetts Attorney General’s office “achieves our shared goal of ensuring that our customers can use their credit cards with confidence in the security of their data.” However, the company took issue with the AG’s depiction of events, which suggested the restaurant company was slow in responding to knowledge of the breach of its corporate network. The company claimed that it voluntarily reported the breach to the Attorney General’s office at the time, engaged a security firm to vet its network security and informed credit card companies about what customer records may have been leaked to hackers. “The Briar Group believes that it acted immediately and aggressively once it was informed of the possible breach,” the company said in its statement.

The case is the first in which a violation of the Commonwealth's data security regulation, 201 CMR 17.00, has been prosecuted. The regulation, which took effect on March 1, 2010, is one of the toughest in the nation. It applies to individuals, companies and third-party providers that store, collect or use personal information on Massachusetts residents (a resident's name in combination with a Social Security number, driver's license number or financial account information), regardless of whether those organizations are based in or have offices in the state.

Among other things, 201 CMR 17.00 requires organizations that hold personal information on Massachusetts residents to encrypt that information when it is stored on laptops or other portable devices, and to encrypt it when it is transmitted across public networks or wirelessly (201 CMR 17.04(3) and (5)). The regulation does not mandate encryption of data at rest on servers and desktops; for those systems it instead requires secure user authentication and access controls, reasonable monitoring for unauthorized access, and reasonably up-to-date patching, firewall protection and malware defenses, the kinds of controls whose absence would let a point-of-sale infection persist for months.

There was speculation prior to the announcement about when and how forcefully the Attorney General's office would enforce 201 CMR 17.00, which encountered opposition from business groups for being too far-reaching and costly to implement.

Reported incidents in the past year would seem to provide more fodder for settlements. Among them is a December 2010 report of a breach at CitySights, a New York-based sightseeing company, that affected around 1,800 Massachusetts residents. However, the Attorney General's office has been tight-lipped about which cases it will pursue and refuses to confirm or deny ongoing investigations, so it is not clear whether other settlements may be coming.

Categories: Government, Web Security

Comments (13)

  1. Anonymous

    If the dates are accurate in the article — how can you be fined when the incident occurred prior to the law going into effect? 

  2. Anonymous

    If the dates are accurate in the article — how can you be fined when the incident occurred prior to the law going into effect? 

  3. Anonymous

    “how can you be fined when the incident occurred prior to the law going into effect?”

    The article is very confusing as it says they were fined and then it says they entered into a settlement. Notice how they never said what the chain restaurant’s name is…called bad PR…quickest way to kill the business…

  4. Beyond

    In the big scheme of things this law doesn’t matter. Here’s why. Aliens built this planet using alien technology and advanced crypto algorithms. The RSA breach was done by the aliens, as their way of saying ‘don’t bite the hand that feeds you’. These local governments can establish all these breach notification laws but in the end, the aliens will come down and abolish all such laws, resulting in massive settlements among these companies against their local governments. This will apply to all platforms, UNIX, Windows, AS/400 and mainframe (most which came from alien technology leased through US government agencies in exchange for reallocation of radio spectrum frequencies that interfered with intrastellar vessels/commerce transport systems).

  5. Anonymous

    Just to be clear, where in the MA regulation does it require encryption for data at rest on servers?

    Was there an amended one?

    (3)Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.

    (5) Encryption of all personal information stored on laptops or other portable devices;


    I appreciate the article but facts are important…

  6. Anonymous

    and what restaurants does Briar Group operate?  What if I wanted to know if my personal info had been potentially compromised?

    that list would be: the green briar, the harp, m.j. o’conners, ned devine’s, parris, city bar, boston event solution, solas, the lenox hotel, the anthem kitchen and bar, and city table.
